
Trojan-Spy.HTML.Smitfraud.c


This topic is locked.
12 replies to this topic

#1 ajax15
  • Members
  • 8 posts

Posted 20 June 2005 - 05:41 PM

Hi,
this is my first attempt at ridding my machine of this sorry pest. Running WinXP Pro (SP1) with Norton (worthless in this instance) and free ZoneAlarm. I use Internet Explorer and System Restore is currently disabled. I read the "How to remove the Smitfraud / Quicknavigate / Virtual Maid" guide posted by Grinler found on these boards and also the HJT tutorial, and I think with a little guidance I may be able to clean up this desktop.
I have the following tools ready to go:

HijackThis
Killbox
Smitfraud.reg
Hoster
Deldomains.inf
Cleanup!
ActiveScan

Ran SpyBot, Ad-Aware SE, Cleanup, Housecall, and ewido

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:22:17 AM, on 6/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msole32.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\devldr32.exe
C:\spywaretools\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpB164.tmp (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - Startup: mov06[1].exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thanks for the consideration!

Edited by ajax15, 21 June 2005 - 09:36 AM.
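Added example (mine, not part of ajax15's post or of HijackThis itself): a small Python triage script that applies, to log lines in the shape of the HJT log above, the same reading OldTimer does by hand in his reply. It flags the four entry types the Smitfraud family abuses here: a second program appended to the Winlogon Shell (F2), IE search URLs pointed at a host outside a small allow-list (R0/R1), a BHO registered under the bogus all-F CLSID or with its DLL gone (O2), and Run/Startup items that either run a Windows component name from the wrong place or carry the `[1]` suffix Internet Explorer gives files in its cache (O4). The sample lines, the allow-list of search hosts and the expected location of msmsgs.exe are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines in the shape of the HijackThis v1.99
# log above (the hijacked lines plus two benign ones for contrast).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpB164.tmp (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - Startup: mov06[1].exe
"""

# Hosts that legitimately show up in IE search settings (assumed allow-list; extend as needed).
TRUSTED_SEARCH_HOSTS = {
    "www.microsoft.com", "ie.search.msn.com", "search.msn.com",
    "home.microsoft.com", "google.com", "www.google.com",
}

# Windows components whose names get borrowed by droppers, with the one
# location the genuine file lives in (assumption for the example).
COMPONENT_HOMES = {"msmsgs.exe": r"c:\program files\messenger\msmsgs.exe"}

# CLSID made of F's with only the last digit varying, as in the O2 line above.
BOGUS_CLSID_RE = re.compile(r"\{F{8}-F{4}-F{4}-F{4}-F{11}[0-9A-F]\}", re.I)


def _o4_target(line):
    """Return (path, basename) for an O4 Run/Startup line."""
    parts = line.split(": ", 1)
    rest = parts[1] if len(parts) > 1 else ""
    rest = re.sub(r"^\[[^\]]*\]\s*", "", rest)          # drop the [value name]
    m = re.search(r"[A-Za-z]:\\.*?\.exe", rest, re.I)   # first full path ending in .exe
    path = m.group(0) if m else rest.strip().strip('"')
    return path, path.rsplit("\\", 1)[-1].lower()


def triage_line(line):
    """Return a reason if the line matches a hijack pattern, else None."""
    kind = line.split(" - ", 1)[0]
    if kind == "F2":
        m = re.search(r"Shell=(.*)$", line)
        if m:
            extra = [p.strip() for p in m.group(1).split(",")
                     if p.strip().lower() != "explorer.exe"]
            if extra:
                return "Winlogon Shell also starts: " + ", ".join(extra)
    elif kind in ("R0", "R1"):
        m = re.search(r"=\s*(https?://\S+)$", line)
        if m:
            host = (urlparse(m.group(1)).hostname or "").lower()
            if host not in TRUSTED_SEARCH_HOSTS:
                return "IE search/start setting redirected to " + host
    elif kind == "O2":
        if BOGUS_CLSID_RE.search(line):
            return "BHO registered under a bogus all-F CLSID"
        if "(file missing)" in line:
            return "BHO registration whose DLL no longer exists"
    elif kind == "O4":
        path, base = _o4_target(line)
        expected = COMPONENT_HOMES.get(base)
        if expected and path.lower() != expected:
            return f"{base} running from {path}, not its normal location"
        if re.fullmatch(r".*\[\d+\]\.exe", base):
            return f"Startup item {base} is named like a browser-cache copy"
    return None


def triage(log_text):
    """Run triage_line over every line; return [(kind, line, reason), ...]."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reason = triage_line(line) if line else None
        if reason:
            findings.append((line.split(" - ", 1)[0], line, reason))
    return findings


if __name__ == "__main__":
    for kind, line, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

On the sample the benign Start Page and ZoneAlarm lines pass, and the five remaining lines are exactly the ones OldTimer has ajax15 tick in HijackThis. The rules are deliberately narrow: "(file missing)" on an O3 toolbar line, for instance, is not flagged because that is usually a leftover of a normal uninstall, not a hijack.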



#2 OldTimer
    Malware Expert
  • Members
  • 11,092 posts
  • Gender: Male
  • Location: North Carolina

Posted 21 June 2005 - 04:45 PM

Hello ajax15 and welcome to the BC forums. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Launch Notepad, and copy/paste the text in the quotebox below into the new document. Save it to your desktop as smitfix.reg:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"Wallpaper"=-
"WallpaperStyle"=-
"NoDispBackgroundPage"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"="0 78 152"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"notepad.exe"=-
"notepad2.exe"=-
"winlogon.exe"=-
"paint.exe"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"=dword:00000000

[-HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[-HKEY_CLASSES_ROOT\CLSID\VMHomepage]

[-HKEY_CLASSES_ROOT\CLSID\VMHomepage.1]

[-HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}]

[-HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}]

[-HKEY_CLASSES_ROOT\VMHomepage]

[-HKEY_CLASSES_ROOT\VMHomepage.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTP\Parameters\S]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\r]


Close Notepad.

Step #2

Remove installed programs using Add or Remove Programs in the Control Panel:
  • Click Start.
  • Click Control Panel.
  • Double-click Add or Remove Programs.
  • Look in the Currently installed programs box for each program listed below and if it is there:
    • Click on it to select it.
    • Click the Change (or Change/Remove) button.
    • If you are prompted to confirm the removal of the program, click Yes.
  • Security IGuard
  • Virtual Maid
  • Search Maid

Download Hoster.zip and unzip it to your desktop. Do not run it yet.

Download DelDomains.zip and unzip it to your desktop. We will use this later on.

Step #3

Download Pocket Killbox and unzip it to your desktop.

Double-click on KillBox.exe to launch the program.
  • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:
    • C:\wp.exe
      C:\wp.bmp
      C:\bsw.exe
      C:\Windows\sites.ini
      C:\Windows\popuper.exe
      C:\Windows\System32\wldr.dll
      C:\Windows\System32\helper.exe
      C:\Windows\System32\intmon.exe
      C:\Windows\System32\shnlog.exe
      C:\Windows\System32\intmonp.exe
      C:\Windows\System32\msmsgs.exe
      C:\Windows\system32\msole32.exe
      C:\Windows\System32\ole32vbs.exe
      C:\WINDOWS\System32\msmsgs.exe
      C:\WINDOWS\System32\hpB164.tmp
  • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
  • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in it to delete the files. Killbox will tell you that all listed files will be deleted on next reboot; click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Your system will reboot now. Reboot into Safe Mode by:

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\Program Files\Search Maid\ <--folder
C:\Program Files\Virtual Maid\ <--folder
C:\Windows\System32\Log Files\ <--folder
C:\Program Files\Security IGuard\ <--folder

Step #5

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpB164.tmp (file missing)
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - Startup: mov06[1].exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #6

Start Hoster and click on the Restore Original Hosts button. Now, close Hoster.

Step #7

Locate the deldomains.inf file on your desktop. Right-click on it and choose Install from the popup menu.

Step #8

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #9

Locate smitfix.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

Step #10

Reboot normally and run at least 2 of the following on-line virus scans:
Trend Micro Housecall
BitDefender On-Line Virus Scan
Panda ActiveScan
eTrust Antivirus Web Scanner
Make sure that you choose "fix" or "clean".

Step #11

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
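Added example (mine, not from OldTimer's post or from any BleepingComputer tool): a parser for the REGEDIT4 format that smitfix.reg above is written in. Before merging a fix file you got from a forum, it helps to see exactly what it will do, and a `.reg` file expresses only three things: delete a whole key (`[-HKEY...]`), delete a value (`"name"=-`), or set a value (quoted string or `dword:`). The parser lists those operations, counts them, points out any value that would be *written* under a Policies key (the fix above only removes policy values, which is what you want), and rejects lines it cannot parse instead of guessing. The sample is constructed from a few entries of the fix above plus two deliberately malformed lines (a doubled `"name"=` and a stray space before `dword:`) so the error path is exercised.

```python
import re

# Constructed sample in the REGEDIT4 format used by smitfix.reg above: a few
# entries copied from it plus two deliberately malformed lines (13 and 19).
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"NoDispBackgroundPage"=-

[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"="0 78 152"

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Bar"="Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Use Custom Search URL"= dword:00000000
"Use Custom Search URL"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")                  # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data, ""=data or @=data
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')            # one quoted string, \" and \\ escaped
DWORD_RE = re.compile(r"^dword:([0-9A-Fa-f]{8})$")


def parse_reg(text):
    """Parse REGEDIT4 text into (ops, errors); ops are dicts with an 'op' field."""
    ops, errors, current = [], [], None
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        errors.append("line 1: expected REGEDIT4 header")
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            if km.group(1) == "-":
                ops.append({"op": "key_delete", "key": km.group(2)})
                current = None            # a deleted key cannot receive values
            else:
                current = km.group(2)
            continue
        vm = VALUE_RE.match(line)
        if vm is None or current is None:
            errors.append(f"line {n}: cannot parse {line!r}")
            continue
        name = vm.group(1) or "(Default)"
        data = vm.group(2)
        sm, dm = STRING_RE.match(data), DWORD_RE.match(data)
        if data == "-":
            ops.append({"op": "value_delete", "key": current, "name": name})
        elif sm:
            ops.append({"op": "value_set", "key": current, "name": name,
                        "type": "REG_SZ", "data": sm.group(1)})
        elif dm:
            ops.append({"op": "value_set", "key": current, "name": name,
                        "type": "REG_DWORD", "data": int(dm.group(1), 16)})
        else:
            errors.append(f"line {n}: malformed data {data!r}")
    return ops, errors


def summarize(ops):
    """Count operations by kind, e.g. {'value_delete': 2, 'value_set': 3, 'key_delete': 1}."""
    counts = {}
    for op in ops:
        counts[op["op"]] = counts.get(op["op"], 0) + 1
    return counts


def policy_writes(ops):
    """Values that would be SET under a Policies key: review these before merging."""
    return [op for op in ops
            if op["op"] == "value_set" and "\\policies\\" in op["key"].lower()]


if __name__ == "__main__":
    ops, errors = parse_reg(SAMPLE_REG)
    for op in ops:
        print(op)
    print("summary:", summarize(ops))
    print("policy writes:", policy_writes(ops))
    for err in errors:
        print("ERROR", err)
```

The strict string pattern is the point: a permissive `^"(.*)"$` would happily accept the doubled `"Search Bar"="Search Bar"=...` line as one long string, while regedit would reject or misread it. Only `REGEDIT4` (ANSI) files are handled; the Unicode `Windows Registry Editor Version 5.00` format and `hex:` data are outside this example.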


#3 ajax15
  • Topic Starter
  • Members
  • 8 posts

Posted 22 June 2005 - 07:04 AM

I keep trying but no matter what I do, only some of the files copy to Killbox. Never the first three nor the last four. I can't figure out why. I followed the steps exactly... no good, then tried copying from Notepad and WordPad... same problem. Very frustrating!

#4 OldTimer
    Malware Expert
  • Members
  • 11,092 posts
  • Gender: Male
  • Location: North Carolina

Posted 22 June 2005 - 08:05 AM

Hi ajax15. That's ok. If you copy/paste the entire list Killbox will sort them out. Not all files are always present on all machines. If one of the files is not present then Killbox will remove it from the list. That is normal and I probably should have mentioned that.

Go ahead and copy the entire list and then hit the Kill button and continue on with the rest of the steps.

Cheers.

OT

#5 ajax15
  • Topic Starter
  • Members
  • 8 posts

Posted 22 June 2005 - 10:33 AM

OK OT,

Here's the log from BitDefender (ran eTrust next but it found none)


[General]
App = "BitDefender Online Scanner v8"
Date = 22:06:2005
Time = 09:40:41
Scan Path = A:\;C:\;D:\;

[Engines Info]
Virus Definitions = 184433
Engine build = "AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)"
Scan plugins = 13
Archive plugins = 39
Unpack plugins = 4
E-mail plugins = 6
System plugins = 1

[Scan Statistics]
Folders = 2348
Files = 65388
Archives = 646
Packed files = 10059
Identified viruses = 3
Infected files = 41
Warnings = 0
Suspect files = 0
Disinfected files = 0
Deleted files = 43
Copied files = 0
Moved files = 0
Renamed files = 0
I/O Errors = 9

[Scan Settings]
SecondAction = Delete
FirstAction = Disinfect
Heuristics = 1
Enable Warnings = 1
Exclude Ext =
Extensions = exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;
Scan Emails = 1
Scan Archives = 1
Scan Packed = 1
Scan Files = 1
Scan Boot = 1
Verify Memory = 0

[Scan Results]
Line00000122 = "C:\Documents and Settings\chuck & julie\Start Menu\Programs\Startup\mov06[1].exe Infected with: BehavesLike:Win32.ExplorerHijack"
Line00000121 = "C:\Documents and Settings\chuck & julie\Start Menu\Programs\Startup\mov06[1].exe Disinfection failed"
Line00000120 = "C:\Documents and Settings\chuck & julie\Start Menu\Programs\Startup\mov06[1].exe Deleted"
Line00000119 = "C:\Program Files\Norton AntiVirus\Quarantine\6C962DCE.dll=>(Quarantine-2) Infected with: Trojan.Startpage.335"
Line00000118 = "C:\Program Files\Norton AntiVirus\Quarantine\6C962DCE.dll=>(Quarantine-2) Disinfection failed"
Line00000117 = "C:\Program Files\Norton AntiVirus\Quarantine\6C962DCE.dll=>(Quarantine-2) Deleted"
Line00000116 = "C:\Program Files\Norton AntiVirus\Quarantine\7D834FC8.exe=>(Quarantine-2) Infected with: Trojan.Dialer.GlobalAcces"
Line00000115 = "C:\Program Files\Norton AntiVirus\Quarantine\7D834FC8.exe=>(Quarantine-2) Disinfection failed"
Line00000114 = "C:\Program Files\Norton AntiVirus\Quarantine\7D834FC8.exe=>(Quarantine-2) Deleted"
Line00000113 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000112 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS1865.exe Disinfection failed"
Line00000111 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnUS1865.exe Deleted"
Line00000110 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.10\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000109 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.10\gdnUS1865.exe Disinfection failed"
Line00000108 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.10\gdnUS1865.exe Deleted"
Line00000107 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.11\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000106 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.11\gdnUS1865.exe Disinfection failed"
Line00000105 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.11\gdnUS1865.exe Deleted"
Line00000104 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.12\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000103 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.12\gdnUS1865.exe Disinfection failed"
Line00000102 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.12\gdnUS1865.exe Deleted"
Line00000101 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.13\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000100 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.13\gdnUS1865.exe Disinfection failed"
Line00000099 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.13\gdnUS1865.exe Deleted"
Line00000098 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.14\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000097 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.14\gdnUS1865.exe Disinfection failed"
Line00000096 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.14\gdnUS1865.exe Deleted"
Line00000095 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.15\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000094 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.15\gdnUS1865.exe Disinfection failed"
Line00000093 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.15\gdnUS1865.exe Deleted"
Line00000092 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.16\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000091 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.16\gdnUS1865.exe Disinfection failed"
Line00000090 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.16\gdnUS1865.exe Deleted"
Line00000089 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.17\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000088 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.17\gdnUS1865.exe Disinfection failed"
Line00000087 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.17\gdnUS1865.exe Deleted"
Line00000086 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.18\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000085 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.18\gdnUS1865.exe Disinfection failed"
Line00000084 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.18\gdnUS1865.exe Deleted"
Line00000083 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.19\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000082 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.19\gdnUS1865.exe Disinfection failed"
Line00000081 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.19\gdnUS1865.exe Deleted"
Line00000080 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.2\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000079 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.2\gdnUS1865.exe Disinfection failed"
Line00000078 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.2\gdnUS1865.exe Deleted"
Line00000077 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.20\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000076 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.20\gdnUS1865.exe Disinfection failed"
Line00000075 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.20\gdnUS1865.exe Deleted"
Line00000074 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.21\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000073 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.21\gdnUS1865.exe Disinfection failed"
Line00000072 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.21\gdnUS1865.exe Deleted"
Line00000071 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.22\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000070 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.22\gdnUS1865.exe Disinfection failed"
Line00000069 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.22\gdnUS1865.exe Deleted"
Line00000068 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.23\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000067 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.23\gdnUS1865.exe Disinfection failed"
Line00000066 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.23\gdnUS1865.exe Deleted"
Line00000065 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.24\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000064 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.24\gdnUS1865.exe Disinfection failed"
Line00000063 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.24\gdnUS1865.exe Deleted"
Line00000062 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.25\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000061 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.25\gdnUS1865.exe Disinfection failed"
Line00000060 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.25\gdnUS1865.exe Deleted"
Line00000059 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.26\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000058 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.26\gdnUS1865.exe Disinfection failed"
Line00000057 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.26\gdnUS1865.exe Deleted"
Line00000056 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.27\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000055 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.27\gdnUS1865.exe Disinfection failed"
Line00000054 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.27\gdnUS1865.exe Deleted"
Line00000053 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.28\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000052 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.28\gdnUS1865.exe Disinfection failed"
Line00000051 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.28\gdnUS1865.exe Deleted"
Line00000050 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.29\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000049 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.29\gdnUS1865.exe Disinfection failed"
Line00000048 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.29\gdnUS1865.exe Deleted"
Line00000047 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.3\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000046 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.3\gdnUS1865.exe Disinfection failed"
Line00000045 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.3\gdnUS1865.exe Deleted"
Line00000044 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.30\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000043 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.30\gdnUS1865.exe Disinfection failed"
Line00000042 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.30\gdnUS1865.exe Deleted"
Line00000041 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.31\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000040 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.31\gdnUS1865.exe Disinfection failed"
Line00000039 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.31\gdnUS1865.exe Deleted"
Line00000038 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.32\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000037 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.32\gdnUS1865.exe Disinfection failed"
Line00000036 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.32\gdnUS1865.exe Deleted"
Line00000035 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.33\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000034 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.33\gdnUS1865.exe Disinfection failed"
Line00000033 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.33\gdnUS1865.exe Deleted"
Line00000032 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.34\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000031 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.34\gdnUS1865.exe Disinfection failed"
Line00000030 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.34\gdnUS1865.exe Deleted"
Line00000029 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.35\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000028 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.35\gdnUS1865.exe Disinfection failed"
Line00000027 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.35\gdnUS1865.exe Deleted"
Line00000026 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.36\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000025 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.36\gdnUS1865.exe Disinfection failed"
Line00000024 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.36\gdnUS1865.exe Deleted"
Line00000023 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.4\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000022 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.4\gdnUS1865.exe Disinfection failed"
Line00000021 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.4\gdnUS1865.exe Deleted"
Line00000020 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.5\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000019 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.5\gdnUS1865.exe Disinfection failed"
Line00000018 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.5\gdnUS1865.exe Deleted"
Line00000017 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.6\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000016 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.6\gdnUS1865.exe Disinfection failed"
Line00000015 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.6\gdnUS1865.exe Deleted"
Line00000014 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.7\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000013 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.7\gdnUS1865.exe Disinfection failed"
Line00000012 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.7\gdnUS1865.exe Deleted"
Line00000011 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.8\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000010 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.8\gdnUS1865.exe Disinfection failed"
Line00000009 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.8\gdnUS1865.exe Deleted"
Line00000008 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.9\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000007 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.9\gdnUS1865.exe Disinfection failed"
Line00000006 = "C:\WINDOWS\Downloaded Program Files\CONFLICT.9\gdnUS1865.exe Deleted"
Line00000005 = "C:\WINDOWS\Downloaded Program Files\gdnUS1865.exe Infected with: Trojan.Dialer.GlobalAcces"
Line00000004 = "C:\WINDOWS\Downloaded Program Files\gdnUS1865.exe Disinfection failed"
Line00000003 = "C:\WINDOWS\Downloaded Program Files\gdnUS1865.exe Deleted"
Line00000002 = "C:\WINDOWS\system32\msmsgs.exe Infected with: BehavesLike:Win32.ExplorerHijack"
Line00000001 = "C:\WINDOWS\system32\msmsgs.exe Disinfection failed"
Line00000000 = "C:\WINDOWS\system32\msmsgs.exe Deleted"


Here's the new logfile

Logfile of HijackThis v1.99.1
Scan saved at 10:20:43 AM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\spywaretools\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Looks like I've got more cleaning to do huh?
Also, seems I've lost the ability to set the tool bar to the XP appearance. I only have the windows classic option.

Going to bed now, working night shifts this week. Will check back this evening...Thanks for all the help thus far!

#6 OldTimer
Malware Expert

Posted 22 June 2005 - 12:15 PM

Hi ajax15. that looks much better. We still have a couple of items to clean up so let's do that now.

Step #1

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #2

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
This file should be gone but let's verify that it is and if it is not then delete it:

C:\WINDOWS\System32\msmsgs.exe
Note: If you receive any error messages while trying to delete any of the above files/folders then reboot into Safe Mode and try to delete them again. See the instructions below on how to boot into Safe Mode.
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

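The three items OldTimer asks to fix above share one pattern: the infection chained a second process onto Winlogon's Shell value, added a Run entry that starts a look-alike msmsgs.exe out of System32 (the real Windows Messenger binary lives in C:\Program Files\Messenger, as the O9 lines show), and set IE restriction policies. The script below is an added example for this thread, not part of HijackThis or of OldTimer's reply; it applies those three checks to a constructed sample of log lines taken from the log above. The EXPECTED_HOME table is an assumption for illustration and should be built from a clean machine.

```python
"""Triage a HijackThis 1.99.1 log for the persistence pattern seen in this
thread: a second process appended to the Winlogon Shell value (F2), a Run
entry that starts a copy of a well-known binary from the wrong folder (O4),
and Internet Explorer restriction policies (O6).

Added example for this thread; not part of HijackThis or of the reply above.
"""
import re

# Constructed sample: the suspicious lines from the log above plus two
# benign ones, so the filter has something to leave alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
"""

# Assumption for illustration: a tiny baseline of binaries whose legitimate
# home is somewhere other than %SystemRoot%\System32. Build the real list
# from a clean machine; msmsgs.exe is the one this thread is about.
EXPECTED_HOME = {
    "msmsgs.exe": r"c:\program files\messenger",
}

# O4 - <hive>\..\Run: [<name>] "<path>.exe" <args>
O4_RE = re.compile(
    r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\]\s*"?(?P<path>[^"]+?\.exe)"?', re.I
)


def triage(log_text):
    """Return a list of (log_line, reason) for every line worth fixing."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("F2 - REG:system.ini: Shell="):
            # Winlogon's Shell value should be exactly "explorer.exe"; anything
            # after a comma is started alongside the desktop at every logon.
            procs = [p.strip().lower() for p in line.split("Shell=", 1)[1].split(",")]
            extra = [p for p in procs if p and p != "explorer.exe"]
            if extra:
                findings.append((line, "Winlogon Shell also starts: " + ", ".join(extra)))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue
            path = m.group("path").strip()
            folder, _, base = path.lower().rpartition("\\")
            home = EXPECTED_HOME.get(base)
            if home and folder != home:
                findings.append((line, f"{base} started from {folder}, real one lives in {home}"))
        elif line.startswith("O6 - "):
            # IE policy restrictions are rarely set by hand on a home machine;
            # Smitfraud-type infections use them to lock the user out of options.
            findings.append((line, "IE policy restriction present"))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"FIX  {entry}\n     -> {why}")
```

Run against the sample it reports exactly the F2 line, the [RegSvr32] O4 line and the O6 line, and leaves the ZoneAlarm Run entry and the genuine Messenger O9 entry alone; the same three lines are the ones OldTimer has you tick in HijackThis.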

#7 ajax15
Topic Starter

Posted 22 June 2005 - 02:46 PM

How does this look OT?

Logfile of HijackThis v1.99.1
Scan saved at 2:39:08 PM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\spywaretools\HijackThis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 ajax15
Topic Starter

Posted 22 June 2005 - 09:20 PM

Things're working sooooo much better!
I seem to have some sort of problem with Norton AV 2005 since the last "live update" session. At boot-up windows installer starts but hangs. After about 20 seconds or so I get an error telling me the repair option isn't supported and to uninstall and reload Norton AV.

The other thing that's puzzling me is that during the last purge procedures I seem to have lost some display functionality. On my display properties window, under the Appearance tab, the Windows and buttons pull down menu only has the Windows classic style option. The Windows XP style option has disappeared! Do you know how I can restore this feature or is this a topic for a different board?

Again, many thanks OT for the assistance...Paypal payment forthcoming too!

#9 OldTimer
Malware Expert

Posted 23 June 2005 - 09:19 AM

Hey ajax15. If you are getting that error message on startup I would recommend uninstalling and then reinstalling Norton. Most of these nastier infections can and do damage AV products as their first order of business so that they can run freely.

As to the XP Style issue, try this:

Launch Notepad, and copy/paste the text in the quotebox below into the new document. Save it to your desktop as regfix.reg :

Windows Registry Editor Version 5.00

; Clear the per-user policy flags that hide the visual style, color and size choices
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoVisualStyleChoice"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000

; Remove any forced visual style ("=-" deletes the value on merge)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"SetVisualStyle"=-

; Point the theme manager back at the default Luna style; the hex(2) value is the
; REG_EXPAND_SZ string %SystemRoot%\resources\Themes\luna\luna.msstyles
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"ThemeActive"="1"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
  00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
  6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
  00,00,00
"ColorName"="NormalColor"

; Let Explorer save its settings again
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

; Turn off the forced classic shell for this user and for the machine
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ClassicShell"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ClassicShell"=dword:00000000


Locate regfix.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

Restart your computer.

Cheers.

OT
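Before merging a .reg fix like the one above it is worth reading what it actually sets, and the hex(2) blob in the ThemeManager section is not readable as pasted. The script below is an added example for this thread, not part of regfix.reg or of any Windows tool: it joins the backslash-continued lines, decodes hex(2) (REG_EXPAND_SZ) bytes back into text, and marks values the file deletes. The sample it parses is two sections copied from the regfix.reg in the reply above.

```python
"""Read a .reg file before merging it: expand the backslash-continued lines,
decode hex(2) (REG_EXPAND_SZ) blobs to text, and show which values are
deleted ("=-"). Added example for this thread; not part of regfix.reg or of
any Windows tool.
"""
import re

# Constructed sample: two sections copied from the regfix.reg in the reply above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoVisualStyleChoice"=dword:00000000
"SetVisualStyle"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"ThemeActive"="1"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
  00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
  6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
  00,00,00
"ColorName"="NormalColor"
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _join_continuations(text):
    """A trailing backslash in a .reg file continues the value on the next line."""
    lines, pending = [], ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.endswith("\\"):
            pending += stripped[:-1]
            continue
        lines.append(pending + stripped)
        pending = ""
    return lines


def decode_value(raw):
    """Turn the right-hand side of a .reg assignment into a Python value."""
    if raw == "-":
        return None                      # "=-" deletes the value on merge
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(2):"):
        # REG_EXPAND_SZ: comma-separated bytes of a NUL-terminated UTF-16LE string
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]                 # REG_SZ
    return raw                           # other types left as written


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}}."""
    result, key = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            result[key][m.group(1)] = decode_value(m.group(2))
    return result


if __name__ == "__main__":
    for key, values in parse_reg(SAMPLE_REG).items():
        print(key)
        for name, val in values.items():
            print(f"    {name} = {'<delete>' if val is None else val!r}")
```

On the sample the DllName blob decodes to %SystemRoot%\resources\Themes\luna\luna.msstyles, which is the default Luna theme file; that is the same file ajax15 later found missing, so the fix was aiming at the right key but cannot help if the file itself is gone.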

#10 ajax15
Topic Starter

Posted 23 June 2005 - 12:56 PM

Nope, OT
regfix.reg had ZERO effect on the taskbar style glitch. I found a thread at this site which has several ideas for resolving that issue.

Furthermore, I'll be downloading a new copy of NAV to fix up that little bug.

I'll confirm complete success when I attain it!

Thanks,
AJAX

#11 OldTimer
Malware Expert

Posted 23 June 2005 - 03:35 PM

Hi ajax15. Yeah, I would post that question in the XP forum. Those people can deal with OS issues much better than us malware geeks. The only other thing I can think of is to make sure that the Themes service is running.

To finish up the malware portion we have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.
System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall and a good antivirus application like the ones you are currently using. It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT

#12 ajax15
Topic Starter

Posted 23 June 2005 - 04:07 PM

100% SUCCESS!!

the taskbar style glitch was due to corrupt/missing luna.msstyles file in c:\windows\resources\themes\luna

fixed it with these steps:

Make a new folder in the root of your c: drive (ex. c:\temp). This is where we are going to extract a good luna.msstyles file.
Put in your XP Install CD. If it autoruns just close it. Go to a command prompt. (ex. Start, Run, Type command, and hit enter.)
You should now see something like this C:\DOCUME~1\youruser>.
Type in the name of the CD Drive you put the disk in followed by a colon (ex. D:).
Type in cd i386.
Now type in expand luna.ms_ c:\temp.
You should now have expanded the file into your temp folder.
Type exit to close the command prompt.
Go to your temp folder and rename luna.ms_ to luna.msstyles.
Double click on it to set your appearance to XP to see if it works. If it does copy the file to your c:\windows\resources\themes\luna folder.

the other issue was resolved upon removing/reloading Norton AV

Thanks OT,
great help! :thumbsup:

#13 OldTimer
Malware Expert

Posted 24 June 2005 - 09:11 AM

You're very welcome ajax15. I'm glad that we could help. I have made a note of your steps to fix the theme's issue so if it comes up again I will have the user try that. Thanks!

Now that your malware issues have been resolved I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT :thumbsup:



